I don't know what the deal is, but occasionally I see my password in plain text in my URL bar. Surely displaying this isn't the best or most secure practice for a website of geeks.

See below. It mainly happens when I go to GeekZone for the first time in a while: some sort of redirect takes place, putting my username and password up for whoever happens to be on my computer or glancing over my shoulder.

patznz: No I don't, and that's beside the point, but seriously, it's given in plain text as an argument even when you log on. Might as well set it to 123abc or qwerty.

The page is only loaded when you click login, so unless someone already knows your password, they are not going to be able to access your account.

Even if the login system was changed from GET to POST, your username/password are still going to be sent unencrypted to the Geekzone server, which can be intercepted in transit. Then the argument comes up of using SSL (similar to banks) to prevent this.

Seriously, if someone did get into your account, what's the worst they can do?
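The post above makes two separate points: a GET login puts the password in the URL, and switching to POST still leaves it readable on the wire unless SSL is used. The following is an added example, not Geekzone's code, that builds the raw HTTP request a browser would send for each method and reports who can read the password. The hostname, login path, form field names and the credential are constructed stand-ins.

```python
"""Added example (not Geekzone's code): where a login password ends up when
the login form submits with GET vs POST, over plain HTTP vs SSL.
Host, path, field names and the credential are constructed stand-ins."""
from urllib.parse import urlencode

HOST = "forum.example"          # assumed hostname, not the real site
PATH = "/login.asp"             # assumed login page
USERNAME = "geek"
PASSWORD = "hunter2"            # constructed test credential


def build_request(method: str) -> bytes:
    """Raw HTTP/1.1 request the browser emits for the login form."""
    form = urlencode({"user": USERNAME, "password": PASSWORD})
    if method == "GET":
        return f"GET {PATH}?{form} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode()
    if method == "POST":
        body = form.encode()
        head = (f"POST {PATH} HTTP/1.1\r\nHost: {HOST}\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(body)}\r\n\r\n")
        return head.encode() + body
    raise ValueError(method)


def request_line(raw: bytes) -> str:
    """First line of the request: what an access log records."""
    return raw.split(b"\r\n", 1)[0].decode()


def requested_url(raw: bytes, tls: bool) -> str:
    """The URL as the browser records it in history and bookmarks."""
    _, path, _ = request_line(raw).split(" ")
    return f"{'https' if tls else 'http'}://{HOST}{path}"


def exposure(method: str, tls: bool = False) -> dict:
    """Who can read the password for a given submit method and transport.

    eavesdropper: anyone on the wire/WiFi/proxy path; sees cleartext only
    server_log:   the web server's own access log, written after TLS is
                  terminated, so SSL does not help a GET login here
    history:      the browser history/bookmark entry, i.e. the URL itself
    """
    raw = build_request(method)
    return {
        "eavesdropper": (not tls) and PASSWORD.encode() in raw,
        "server_log": PASSWORD in request_line(raw),
        "history": PASSWORD in requested_url(raw, tls),
    }
```

Running `exposure("GET")`, `exposure("POST")` and the same two with `tls=True` shows the split the thread is arguing over: POST takes the password out of logs and history, SSL takes it away from the eavesdropper, and only both together cover all three.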

codyc1515: Why don't they fix it then? They've clearly had more than enough time. I emailed them about this months ago, and never heard anything back!

I reply to all emails, and I didn't receive anything.

As for the URL you see, it looks like you bookmarked the login page - check that. It shouldn't "show" on your browser as it is a redirect - unless you bookmark that specific URL.

Search for a recent (last week) discussion called "IP Addresses" and read through it. In short, your password is hashed in our database. It's only unencrypted when doing a submit to our server. The worst thing that could happen is someone using your password to log into another service.

Being a geek I am sure you use a different password for each different service, right?

PenultimateHop: There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path. If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.

For people who log in at their work, that's a valid point: depending on the web filter/monitor that the IT department runs, the URL could show up on the list, and having the password show up in the URL is less than ideal. But for public WiFi I think it's really up to the user to keep themselves safe: browse through an SSL proxy.

Having every site use SSL for posting data isn't an option, as it would then mean that every website would require a unique IP address to be able to support it; the world would run out of IP addresses quicker than it already is.

Not in the slightest. Security is a serious consideration; and anything but best practices encourages complacency. There are mechanisms out there to permit secure transactions across the Internet, and their usage should be encouraged.

meesham: For people who log in at their work, that's a valid point: depending on the web filter/monitor that the IT department runs, the URL could show up on the list, and having the password show up in the URL is less than ideal. But for public WiFi I think it's really up to the user to keep themselves safe: browse through an SSL proxy.

While I agree that people using public WiFi should be keeping themselves safe, again it encourages complacency, especially when you could reasonably assume that a technology-focused site would be following best practices for securing data. Of course, you can also reasonably argue that a technology-savvy user would be keeping themselves secure or be aware of the risks involved, but frankly, if a hammer is available, why would you use a spoon?

meesham: Having every site use SSL for posting data isn't an option, as it would then mean that every website would require a unique IP address to be able to support it; the world would run out of IP addresses quicker than it already is.

That is a poor excuse and very much a red herring. SNI (RFC 3546) works around that problem, as does using multiple ports for separate SSL virtual hosts, as does having a single generic SSL site for multiple other sites. Additionally, a site like Geekzone is already running on its own IP address.

IPv4 depletion is a real problem, but it is not an excuse for avoiding SSL.

Have you guys read the other discussion as suggested? There are ways around it; we have had an SSL cert on Geekzone for about three years now. Can we submit to an SSL login, save a token to the database, and return it to the non-SSL session already in progress (or create a new one) with that one token? Yes, we can.

Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.

Yes, I am thinking of a solution; no, it won't be something like "oh, turn on SSL, it's all fixed now".

freitasm: Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.

Heard of cookies? That's exactly what they are supposed to prevent (putting session data in the URL etc.). Putting the password or any sensitive data in the URL makes it show up in web history, which is very, very bad in all security books... (even over SSL)
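The two posts above talk past each other: freitasm's point is that a token handed back to a plain-HTTP session can be captured and replayed whether it travels in a cookie or in the URL, and the reply's point is that a cookie at least keeps it out of history. The following added example (not Geekzone's code) simulates both sides: an SSL login that issues a random session token, a plain-HTTP browse that carries it in a cookie, and an eavesdropper on the same WiFi replaying it. It also shows what the cookie Secure attribute does to that flow. The server logic, cookie name and hostname are assumptions made for the demo.

```python
"""Added example (not Geekzone's code): a session token handed back from an
SSL login to a plain-HTTP session, and why a WiFi eavesdropper can replay it.
Server logic, cookie name and hostname are assumptions for the demo."""
import secrets
from typing import Dict, Optional


class SessionStore:
    """Assumed server side: token -> username, filled by the SSL login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_hex(16)       # 128-bit random, not guessable
        self._sessions[token] = username
        return token

    def whoami(self, raw: bytes) -> Optional[str]:
        """Authenticate a request purely by its 'session' cookie."""
        for line in raw.split(b"\r\n"):
            if line.lower().startswith(b"cookie:"):
                for part in line.split(b":", 1)[1].split(b";"):
                    name, _, value = part.strip().partition(b"=")
                    if name == b"session":
                        return self._sessions.get(value.decode())
        return None


def browser_request(path: str, token: Optional[str], scheme: str,
                    cookie_secure: bool) -> bytes:
    """Build the request a browser sends, honouring the cookie Secure
    attribute: a Secure cookie is never attached to an http:// request."""
    head = f"GET {path} HTTP/1.1\r\nHost: forum.example\r\n"   # assumed host
    if token and (scheme == "https" or not cookie_secure):
        head += f"Cookie: session={token}\r\n"
    return (head + "\r\n").encode()


def sniff_token(cleartext: bytes) -> Optional[str]:
    """What someone on the same WiFi does: read the cookie out of the bytes."""
    marker = b"Cookie: session="
    start = cleartext.find(marker)
    if start < 0:
        return None
    end = cleartext.find(b"\r\n", start)
    return cleartext[start + len(marker):end].decode()


def demo(cookie_secure: bool) -> Dict[str, bool]:
    """Log in over SSL, then browse the forum over plain HTTP."""
    store = SessionStore()
    token = store.login("geek")                  # the SSL step: not sniffable
    victim = browser_request("/forums", token, "http", cookie_secure)
    stolen = sniff_token(victim)                 # plain HTTP: fully visible
    attacker = browser_request("/profile", stolen, "http", False)
    return {
        "victim_logged_in": store.whoami(victim) == "geek",
        "attacker_logged_in": store.whoami(attacker) == "geek",
    }
```

`demo(False)` is the scheme freitasm describes: the victim is logged in over plain HTTP, and so is the attacker who copied the cookie off the wire. `demo(True)` marks the cookie Secure, which stops the theft only by stopping the browser sending the token at all, leaving the non-SSL session anonymous; a cookie keeps the token out of history and access logs, but it does not keep it off a cleartext connection.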